Beware the 'pod-slurping' employee

A US security expert who devised an application which can fill an iPod with business critical data in a matter of minutes is urging companies to address the very real threat of data theft.

Abe Usher, a 10-year veteran of the security industry, created an application which runs on an iPod and can search corporate networks for files likely to contain business critical data. At a rate of around 100MB every two minutes, it can scan and download the files onto the portable storage units in a process dubbed 'pod-slurping'.

To the naked eye, somebody doing this would look like any other employee listening to their iPod at their desk. Alternatively the person stealing data need not even have access to a keyboard but can simply plug into a USB port on any active machine.

Usher denies his creation is an irresponsible 'call to arms' for malicious employees and would-be data thieves and instead insists his scare tactics are intended to stir companies into action to protect themselves against the threat.

He said: "This is a growing area of concern and there's not a lot of awareness about it. And yet in two minutes it's possible to extract about 100MB of Word, Excel, PDF files - basically anything which might contain business data - and with a 60GB iPod you could probably have every business document in a medium sized firm."

Andy Burton, founder of device management firm Centennial, said Usher walks a fine line but believes he is acting with the best intentions and agrees that companies who still haven't recognised the threat need to be given a wake-up call.

Burton said: "Nobody wakes up in the morning worrying about antivirus or their firewall because we all know we need those things and we all have them in place. Now the greatest threat is very much inside the organisation but I'm not sure there are that many businesses who have realised it's possible to plug in an iPod and just walk away with the whole business in a matter of minutes."

Usher said companies shouldn't expect any help from their operating system, the most popular of which lack the granularity to manage this threat effectively without impairing other functions.

He said: "Vista looks like it's going to include some capability for better managing USB devices but with the time it's going to take to test it and roll it out we're probably two years away from seeing a Microsoft operating system with the functionality built in.

"So companies have to ask themselves 'can we really wait two years?'"

Citing FBI figures which put the average cost of data theft at $350,000, Usher argues they can't.

He said: "The cost of being proactive is less than the cost of reacting to an incident."